Enforce password for Ubuntu user on EC2 instances

Using linux (Ubuntu) instances on Amazon EC2 is a quite safe thing to do, at least measured by the security provided by the platform (security groups, ACL, physical security,..). I recommend reading their security site here. At the end of the day the server is only as secure as you configure it, if you choose to open all ports running services with their default configurations and password settings, Amazon can’t help you.

When connecting to a Ubuntu server with ssh you need to provide the keyfile (somekeyfile.pem) that you can download when creating the key pair.

Key file

This 2048 bit key is required to login as regular ubuntu user. What I dislike is the fact that this user can sudo all, so once someone manage to get into you user account, he has root access too. I recommend to set a password for the ubuntu user and change the sudoers configuration.

Change the password for user ubuntu

Open the sudoers include file

sudo vi /etc/suderos.d/90-cloudimg-ubuntu or sudo vi /etc/sudoers

change last line from

ubuntu  ALL=(ALL) NOPASSWD:ALL

to

ubuntu ALL=(ALL) ALL

Copy AMI between regions

Finally this feature is available and easy as the click of a button. While it was previously almost impossible and last year through snapshots only you can select any AMI and copy to another region. It makes my life much easier and I stop maintaining reference images for every region but can make use of one image only ! More info here.

AMI Transferral

Copy EC2 instance to another region

Is it finally possible ? While the AMI import tool is long awaited for but only available for Windows, it is rather a big hazzle to transfer manually (see this) any other OS ( my last attempt in 2010).

Today Amazon announced the EBS Snapshot Copy Feature (across regions). The intention is certainly to allow easy migration of data to another region, as you can copy the snapshot, create a volume and attach it to an instance. I was curious to try if I can migrate my Ubuntu instance to another region and it worked. You can use both command-line as well the AWS web admin.

• Create a snapshot of a volume in your source region
  

  Create Snapshot

• Continue reading →

Running Ubuntu 12.04 Desktop on EC2

To say it upfront: Usually there is no need to run an Ubuntu server with a desktop in the cloud. Whatever you do on the desktop you can do in a terminal too (assuming you dont want to use GIMP in the cloud). Here a little summary to get you started with a Precise Pangolin desktop running in the cloud.

Security: We will not use VNC, but NX. VNC is not secure (though can be tunnelled through SSH) and it works by sending compressed bitmaps of the screen, which is slower and less accurate than a NX server (X Server calls, Unix/Linux only)

Requirements: Amazon AWS account

Step-by-Step

• Log into your AWS account
• Optional: Create a security group with port 22 inbound only
  

  Security Group

  

  Port 22 only

  Continue reading →

Running EC2 spot instances

or ‘ Save ultimately more money with AWS’

I use EC2 instances for test, development, demo and also for deployment to production. Amazon offers different types of instances, ranging from a micro instance (613 MB Ram and 2 CPU units) to a full fledge Cluster Compute Quadruple Extra Large Instance (60GB RAM and 33 CPU units). Of course a different price and paid per hour usage, available anytime.

All on demand Linux instances (Singapore):

• Micro instance: U$ 0.02 per hour
• Medium instance: U$ 0.34 per hour
• High Mem/CPU instance: U$ 2.024 per hour

On top of this there are 3 different categories of instances (in contractual terms)

Some price comparison for a m1.Large instance we use for testing (7,5GB RAM and 4 CPU units)

• On Demand (any time without any contractual obligations, we are using them currently)
  $0.340 per Hour > 1 month U$ 244.80 (fulltime 24h)
• Reserved Instance (1 year term, one time payment U$ 276.00)
  U$ 0.196 per Hour > 1 month U$ 141.12 (3 months: U$ 699.36 vs on-demand U$ 734.40, 12 months: U$ 1969.44 vs. on-demand U$ 2937.60 = ~30% savings )
• Spot Instance (depends on availability, you bid on a price range, if price exceeds your limit your instance shuts down)
  U$ 0.04 per Hour (as of December 5th 2012) > 1 month U$ 28.80

The spot instance, almost at 10% of the on-demand price, is extremely attractive and I am using it as test server.
Not suitable for production or demo purpose though.

The reserved instance starts to break even after 3 months full-time usage !

In order not to pay for instances running idle (at night, weekend) they auto-shutdown and the user can start them in a self provision fashion (for test, demo or training).

Interesting enough, the price fluctuation is very different in the AWS regions. Lets look at a m1.large instance type in the Ireleand  versus Singapore datacentre.

AWS Ireland

 

AWS Singapore

Obviously Singapore customers are not into this bidding concept, it remains permanently at 4cts while for Ireland the price jumps up to several Dollars !

More information at:

• http://javadude.wordpress.com/2012/10/16/ec2-server-on-demand-without-elastic-ip/
• http://javadude.wordpress.com/2012/06/04/running-ftp-server-on-ec2-on-demand/
• http://aws.amazon.com/pricing/ec2/
• http://aws.amazon.com/ec2/instance-types/

Glassfish V3.1 running embedded ActiveMQ for JMS (Updates)

Last year I described all steps to get running with ActiveMQ embedded in Glassfish:

• Part 1
• Part 2
• Part 3

Some updates :
The current version of ActiveMQ is 5.7.0. Here some updated download links
activemq-web-console-5.7.0.war (link)
activemq-rar-5.7.0.rar (link)
activemq-ra-5.7.0.jar (link)
activemq-all-5.7.0.jar (from the main package)

Note: you need to re-deploy the resource adapter with version 5.7 and check all connector settings.

It works fine with Glassfish 3.1.2.2 and Java JDK 1.7.07

I had issues with the firewall due to fact ActiveQM uses a fix registration port for JMX but dynamic ports for the communication port. The web-console was not accessible.
“Exception occurred while processing this request, check the log for more information!”

Web Console

[#|2012-10-18T07:42:09.249+0000|WARNING|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=73;_ThreadName=Thread-2;|StandardWrapperValve[jsp]: PWC1406: Servlet.service() for servlet jsp threw exception
java.net.ConnectException: Connection timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)

There are ways to configure this for a standalone ActiveMQ instance with the parameters connectorPort and rmiServerPort but I didnt find out yet how to do this with the embedded version.
As a workaround I changed this setting -Djava.rmi.server.hostname from my hostname to localhost.
-Djava.rmi.server.hostname=localhost

JVM Settings

EC2 Server on demand without elastic IP

or ‘Saving totally the most while using EC2′

We use a couple of EC2 servers which are not permanently running, rather on user-demand only. Without wasting money for elastic ip addresses (you are charged while they are NOT attached), we make use of the random public IP provided by AWS and update our Dyndns addess for this server.

• Create a DynDNS account if you dont have one
• Create a hostname (eg. sample.mydomain.net)
• Install Inadyn
  sudo apt-get install inadyn (for Ubuntu or debian)
• Add this line to a start-up script
  inadyn –username myuser –password mypwd –iterations 1 –alias sample.mydomain.net
  ( with iterations the command is executed only once)
  inadyn makes use of http://checkip.dyndns.com/ to retrieve the ip address

On top of it the server switches off automatically at nighttime (see blog entry)  and the user uses a little web frontend to start the server again on his/her own.

Amazon S3 plugin for Jenkins CI again

About once a year I revisit (link) this topic again (usually when the plugin causes trouble). Now I get this signature error

AWS Error Code: SignatureDoesNotMatch, AWS Error Message: The request signature we calculated does not match the signature you provided. Check your key and signing method., S3 Extended Request ID:..

The good news first:
The S3 plugin became mainstream, you can install it from the plugin page under Jenkins Administration | Plugin Manager. You dont need to build the plugin any longer by yourself and can skip the rest of this entry.

S3 Plugin

The long version:
It seems the error is caused by a ‘+’ sign in the access key troubling the encoding function used (see issue). The latest build (Sep 2012) should fix this problem.

If you want to build by yourself, you need to get the sourcecode from git and build the plugin file, beware as it requires Maven 3 now. Below instructions apply fro Ubuntu.

• sudo add-apt-repository http://ppa.launchpad.net/natecarlson/maven3/ubuntu
  from https://launchpad.net/~natecarlson/+archive/maven3
• sudo apt-get update
• apt-get install maven3
• Change to any folder and clone the plugin from https://github.com/jenkinsci/s3-plugin
  git clone https://github.com/jenkinsci/s3-plugin.git
• Build
  mvn3 install
• After a while of downloading dependencies you should get a hpi file for Jenkins

Upload plugin

 

 

Running FTP server on EC2 on demand

or ‘How to cut  (even more) cost while running EC2 instances‘

I am running a FTP server on an EC2 instance (micro if you want), but we dont use it all the time. The server is run on-demand only and auto-shutdown every night. The challenge: on every new start of the instance you will get a new public ip which screws your passive ip address configuration in vsftpd.conf.

• How to install and run vsftp on an EC2 Ubuntu instance.
• How to switch off a Ubuntu EC2 instance ? Add this to the crontab:

  login as root
  crontab -e
  add: 0 12 * * * /sbin/shutdown \-h now
  

• How to update vsftp.conf on start up ?

  pubip=`curl http://169.254.169.254/latest/meta-data/public-ipv4`
  
  sed "s/pasv_address=.*/pasv_address=$pubip/"  /etc/vsftpd.conf > /etc/vsftpdTEMP.conf
  rm /etc/vsftpd.conf
  mv /etc/vsftpdTEMP.conf /etc/vsftpd.conf
  service vsftpd restart
  

  curl http://169.254.169.254/latest/meta-data/public-ipv4 gives you the public IP address of your instance.

Remaining challenge: If you dont want to spend money on an elastic (permanent) IP which costs you while the instance is NOT running, you need a DNS service like dyndns.com and update the dyndns entry on every start too. This can easily done by a shell script using ddclient or Ubuntu’s dyndns command.

ZK goes EC2 (Part 3)

The third part of the tutorial where I improve a few things. I will not walk through the complete code but highlight a few important points and give you the complete sourcecode at the end.

To recap, my requirements:

• I want to allow users in my company to start and stop instances on their own without them login to AWS console.
• Only specific instances are available to them.
• Avoid using elastic IP’s (you pay for them if they are not assigned)
• Make it configurable

The improvements in this version:

• Remove the hardcoded access keys and place them encrypted in a properties file.
• Only instances that are not protected can be started or stopped.
• Update DynDNS entries from the application
• Some cosmetic cleanup of the control panel

Continue reading →